When the Office of Management and Budget released it memorandum on remediating cybersecurity incident in response to the 2021 executive order on improving the nation’s cybersecurity, the memo marked a major shift in how federal agencies collect, retain and manage event logs across their systems and networks.

Essentially, OMB M-21-31 aims to increase government visibility before, during and after a cybersecurity incident — log data from information systems, be it on premise or hosted by third-party providers like cloud services, is crucial for detecting, investigating and addressing cyberthreats.

The memo introduced different logging maturity levels to help agencies prioritize their efforts and resources, allowing them to make progress toward fully implementing the memo’s requirements over time.

“That’s a 44-page document that the federal government released. It’s very in-depth, and the requirements are very broad. Very broad means very complex, which means very extensive for departments and agencies to adopt,” said Robert Bair, chief information security officer in residence at Zscaler.

While the memo mandates expanding data collection to increase visibility and information sharing, it offers limited guidance on how agencies should operationalize this information, Bair pointed out during a panel discussion for Federal News Network’s Cyber Leaders Exchange 2024.

Bair, along with Rob Sheldon, senior director for public policy and strategy at CrowdStrike, discussed the challenges that agencies face in meeting the mandates in competing cyber directives as well as federal efforts and evolving technology that can help them navigate today’s cyber landscape.

Tackling directive, workforce challenges on multiple fronts

In addition, agencies find themselves juggling multiple directives, including the executive order on improving the nation’s cybersecurity; the executive order on safe, secure and trustworthy development and use of artificial intelligence; and the mandate to meet zero trust cybersecurity principles. These mandates are placing increasing demands on agencies, with smaller agencies struggling the most due to limited resource and cyber expertise, Bair said.

Bair knows the challenges from his own federal experience — in the Navy, at the Defense Department and at the White House. “As a former incident responder, when I was in uniform in the federal government, there was nothing more frustrating than showing up to a victim organization and asking for their logs, and they say, ‘About that, we don’t have them.’ So I think this is a very good thing,” he said. “I think it’s going to take a little bit of time for federal departments and agencies to hash this out.”

Indeed, the Government Accountability Office, for instance, found that 20 out of 23 civilian agencies did not meet the necessary requirements for event logging, which is essential for investigating and responding to cyber threats — the OMB required agencies to reach the advanced tier, Level 3, by August 2023. Of those 20 agencies, three were at the basic tier, Level 1, and 17 are at the not effective or at Level 0, meaning logging requirements of highest criticality were not met.

Agencies highlighted a lack of staff as one of the main challenges hindering their ability to prepare for and respond to cyber incidents. Agencies are also struggling with event logging technical challenges and limitations in cyberthreat information sharing, Sheldon said.

Efforts such as onsite cyber incident response assistance from the Cybersecurity and Infrastructure Security Agency, event logging workshops and guidance improvements to a cyberthreat information sharing platform have been helping agencies address those roadblocks.

In addition, the White House Office of the National Cyber Director said it will launch a new hiring sprint this fall to help federal agencies fill about 3,000 open technology positions, which is part of the National Cyber Workforce and Education Strategy implementation. (Learn more about ONCD cyber workforce efforts shared by Deputy National Cyber Director Harry Wingo during our Cyber Leaders Exchange 2024.)

“We see a renewed focus on the federal cybersecurity workforce or the cyber workforce in general. You see the memo coming out of the Office of the National Cyber director … taking away some of the degree requirements and really making it easier and lowering the barriers to entry for the for the cyber workforce, which we think is a great thing. But at the end of the day, I think we’re still 500,000 skilled workforce short — that makes it a challenge,” Bair said.

Taking advantage of evolving cybersecurity solutions

What’s more, as the digital environment continues becoming more complex with the rise of cloud computing, agencies also face the challenge of ensuring data is captured across both on-premise and cloud environments, Sheldon said. The shift requires more coordination and better integration than managing solely on-premise environments, he said.

“We’re in a really interesting time in the cybersecurity industry right now. We’re now in a time when people in the industry are looking for [next-generation security information and event management] solutions that can help integrate some of these different sorts of technologies,” Sheldon said. “And part of that is just this flexibility and trying to build a sort of architecture that will last for a generation, depending on how we define that.”

For agencies and federal contractors, that means working together to implement solutions that create straightforward workflows for people doing security work, he said.

Federal security teams need visibility across multiple aspects of their networks. Today, cyber capabilities are evolving to provide a coherent approach “to be able to work through either threat hunting proactively across all those different platforms and systems, or at least to be able to quickly process and aggregate alerts or logs that are generated from across these disparate technologies,” Sheldon said.
“That is the vision that we’re all moving toward now.”

Discover more articles and videos now on Federal News Network’s Cyber Leaders Exchange 2024 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.